Seventh National HIPAA Summit
DESCRIPTION
Seventh National HIPAA Summit. HIPAA Compliance Case Study: HIPAA and Academic Medicine - Lessons Learned Past, Present and Future. Marti Arvin. University of Louisville Privacy Officer Phone: 502-852-3803 Fax: 502-852-3855 Email: [email protected]. Past, Present, and Future.
TRANSCRIPT
Seventh National HIPAA Summit
HIPAA Compliance Case Study:
HIPAA and Academic Medicine - Lessons Learned Past, Present and Future
Marti Arvin
University of Louisville
Privacy Officer
Phone: 502-852-3803
Fax: 502-852-3855
Email: [email protected]

Past, Present, and Future
BACKGROUND
  Two different institutional approaches
  Two different implementation models
LESSONS LEARNED
FUTURE STRATEGIES

BACKGROUND
DIFFERENT COVERED ENTITY SETTINGS
  University of Pittsburgh Medical Center
  University of Louisville
DIFFERENT IMPLEMENTATION MODELS
  UPMC Model
  U of L Model

University of Pittsburgh Medical Center
Single covered entity for Medical Center
  20+ hospitals
  2 large physician practices
  Several smaller physician practices
  Home health
  Long term care
Affiliation with, but separate from the University

University of Louisville
Hybrid Covered Entity
  School of Medicine
    Faculty Practices
    University Contracted Clinics
  School of Dentistry
  School of Nursing

University of Louisville
  Department of Psychology
  Other Miscellaneous Clinical Settings
  Group Health Plan
  Four Hospitals as primary affiliates

Implementation Models
UPMC model
  Started January 2002
  Created and filled position of Director of HIPAA program office
  Created HIPAA workgroups based on segments of the regulation

UPMC Implementation Model
Drafted single notice to be used by all business units in the Medical Center
Drafted system level general policies
Allowed business units to draft policies and procedures specific to the business unit

UPMC Implementation Model
Examples of business unit specific policies
  Distribution of Notice and recording acknowledgement
    Hospital
    Physician Offices
  Accounting for Disclosures
    Hospital (paper based)
    Physician Offices (web enabled tracking tool)

UofL Implementation Model
Started Jan-Feb 2003
Separate organized efforts in various schools and programs
Meeting at least minimal requirements by April 14, 2003
Created the position & hired me as university privacy officer June 2003

UofL Implementation Model
Different groups based on area of focus
  Research
  Physician Practices
  Affiliated Hospitals
  Dental School

LESSONS LEARNED
People tend to think in their own frame of reference
While late is still better than never – late is problematic
Central function is often better than decentralized
Any legal document needs legal review

LESSONS LEARNED
Customer service is critical
A little knowledge is dangerous
Use your PR staff
Unlike Y2K, we are not done with HIPAA
No one is perfect

People think in their own frame of reference
Examples:
  The notice
    Notices drafted with references to specific type of business unit
    Solutions
      Any reference to hospital was changed to “hospital or facility”
      Any reference to medical records department was changed to “doctor or place where you received care”

While late is still better than never – late is problematic
A late start in preparing for HIPAA is better than no start at all
Problems with late starts
  Everything is done in a panic
  No chance to scrutinize
Advantage of late start
  Learn from others

Central function is often better than decentralized
Centralized function allows for
  Better controls
  Consistent answers to questions
  Obtain economy of scale
Decreases burden on individual business units
Must be a coordinated effort

Any legal document needs legal review
A little thing can make a big difference
  Legal review after wordsmithing
A single word can change the meaning
  Notice language
    Acknowledgment states patient has read notice
    States patient has the right to amend their PHI
  Business Associate Agreement
    Indemnification clause that is not legally binding on state entity
  Authorization
    Does not include the required elements
    Does not include state law issues

Customer service is critical
Good customer service can eliminate many issues
  Patients want to opt out of fundraising
  Patients do not want their information used or disclosed a certain way
  Patients think their rights have been violated

A little knowledge is dangerous
Employees can go overboard on HIPAA
  To get PHI, promise your first born child
Individuals mix up various sections of HIPAA
Educate, Educate, Educate

Use your PR staff
Notice plain language requirement
User friendly documents
Nothing in HIPAA prevents a little PR in your documents

Unlike Y2K, we are not done with HIPAA
April 14, 2003 has come and gone, so we’re done
  TCS remains
  Security remains
  HIPAA’s ongoing compliance issues remain

No one is perfect
Accept the fact that there will be mistakes
  Don’t beat yourself up
  Don’t beat others up

FUTURE STRATEGIES
Coordinate with components of HCE for TCS
Be better prepared for Security
Continue development of a HIPAA compliance program